I have found the Risk Analysis and Risk Management parts of HIPAA compliance to be one of the bigger bugaboos of mental health private practice. The HIPAA Security Rule has always required that clinicians conduct an “accurate and thorough” analysis of security risks in our practices and document what we found. For example, you’d find things like:
- “My computer has records on it that can be accessed by a thief if the computer is stolen”
- “I am sending all kinds of confidential information through unsecure email”
Risk analysis means finding risks like the ones above throughout your practice. You then make a risk management plan for reducing these security risks to “reasonable and appropriate levels.” For example, you’d document plans like:
- “I will encrypt my computer”
- “I will make a policy for how I use email safely”
What the Rule doesn’t address is how we’re supposed to go about doing this.
HIPAA is written so that it “scales” — bigger clinics have different expectations from solo practices. This “scaling up and down” can fail, however, at the solo practice level where we don’t have office staff whose job is analyzing security problems and addressing them.
One of the problems I and colleagues like Rob Reinhardt and Clinton Campbell have been working on in the past few years is how to make the Risk Analysis and Risk Management planning requirements of HIPAA “scale down” so that they are achievable by solo mental health clinicians.
Here is what I think works:
1) The Power of Consult Groups
HIPAA compliance does not hinge on hiring a professional to perform your risk analysis. HIPAA requires that your risk analysis be “accurate and thorough.” The Feds have also published guidance to help small practices do risk analysis and risk management planning (link below).
Many of us have been in consult groups for a long time. One of my favorite tech consulting gigs was when I met via online video chat with a clinical consult group that was working together on mutually developing a risk analysis and management plan for each member. They used the jointly purchased time to get expert advice on filling in holes in their analyses and getting ideas for ways to reduce their identified risks.
Here are my tips for doing the group-based DIY risk analysis and risk management planning:
- Get your group together and work on risk analysis and management plans mutually. This may take a few sessions and much time, including trial and error, to do properly.
- Someone with good knowledge of digital tech — or who is at least comfortable with fiddling with tech and/or researching it — could be valuable. If you don’t have one, invite a newer and/or younger therapist to the group. They’ll get access to mentoring and experience and you’ll get access to someone comfortable with tech.
- Do remember, however, that people entering the profession as a second calling often have technical experience from being in the business world, where using digital tech is seen as much more vital than in the mental health fields. So be careful of assuming that “tech savvy” is the same as “young.”
- Read the federal government’s guidance document on doing risk analysis in small practices. You may need that more technical-minded group member to help make sense of it:
- Read free articles on the Person-Centered Tech website that help identify common risks in our practices as well as provide ideas and tips for reducing those risks (e.g. software to install, ways to change the settings on your phone, etc.). I haven’t identified everything you may need to consider, but it’s a good start:
- Get together and take our live Digital Confidentiality courses together. The courses discuss approaches to risk management and the process of risk analysis, and cover common risks and risk management measures in email, texting, laptops, smart phones and tablets, electronic record-keeping, keeping information online, and more. You can learn a lot of what you need for doing your risk analysis and get some CE credit to boot:
- Subscribe to Person-Centered Tech Support. Our paid subscriber service is by a huge margin the most cost-effective way to get the ongoing, practically on-demand support you need to meet your HIPAA compliance needs.
2) You Can Always Hire a Consultant
The benefit of hiring a consultant to walk you through a risk analysis and risk management plan is that you are likely to save time, although it will cost more money. Be aware, however, that you cannot simply leave it to the consultant. Ultimately, you wear all the administrator hats in your practice and will need to put the risk management plan into place yourself. A good consultant will guide you through doing so.
This is another area where HIPAA’s expectations of “scaling” can break down, however. The kind of professional that one typically hires to perform risk analysis and risk management planning is a “security and compliance” professional. These professionals are accustomed to working with organizations and are typically quite expensive to hire. What’s more, they often have a poor understanding of how to assist a solo healthcare practice in making an actionable risk management plan.
For that reason, I am picky about who I recommend as a consultant for my mental health colleagues. My hope is that the following list of trusted consultants will grow over time, and I imagine it will.
Here are consultants I currently trust to refer mental health colleagues to for risk analysis and risk management planning consultation:
- Clinton Campbell, LMHCA CISSP www.quirkconcepts.com
- Chris Apgar, CISSP www.apgarandassoc.com
- Rob Reinhardt, LPC-S NCC www.tameyourpractice.com
Is That All We Need to Do?
This article is about performing a risk analysis and making your risk management plan. I do want to make sure you know, though, that part of your risk management plan, and also part of HIPAA Security Rule compliance, is that you must create a “manual” of security policies and procedures for your practice. That is a topic for a different article.